Attachmate Reflection FTP Client Stack Buffer Overflow Remote Code Execution Vulnerability

ID ZDI-15-008
Type zdi
Reporter Anonymous
Modified 2015-11-09T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Attachmate Reflection FTP client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw manifests while parsing the response to a PWD command. The client copies part of the response to a fixed-length stack buffer. By supplying a sufficiently large response, an attacker can exploit this condition to achieve code execution under the context of the user.